Prerequisites Checklist

  • Tenable.ad works with Windows Server 2016 with the latest available update.

  • The Tenable.ad installation program requires Local Administrator rights on Windows Server 2016. If the account used for the installation is the default account, ensure that this account can run programs without restrictions.

  • Tenable Identity Exposure services require Local Administrator rights to run local services on the machine.

  • Tenable Identity Exposure requires a dedicated data partition. Do not run Tenable.ad on the OS partition, to prevent a system freeze if the partition fills up.

  • The Tenable Identity Exposure SQL instance requires the virtual accounts usage feature.

  • Tenable Identity Exposure must run as a black box. Dedicate each machine to Tenable Identity Exposure and do not share it with another product.

  • Tenable.ad can create any folder starting with the "Alsid" or "Tenable" prefix on the data partition. Therefore, do not create folders starting with "Alsid" or "Tenable" on the data partition.

  • Erlang: Do not modify the HOMEDRIVE environment variable. The PATHEXT environment variable must contain the .exe and .bat file extensions.

  • If you must set the AD service account of Tenable Identity Exposure as a Protected Users group member, ensure your Tenable Identity Exposure configuration supports Kerberos authentication, because Protected Users cannot use NTLM authentication.
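The local prerequisites above can be verified on each machine before running the installer. The following PowerShell script is an added example, not part of Tenable's documentation or tooling; the `$DataDrive` parameter and the HOMEDRIVE heuristic are assumptions.

```powershell
# Added example: read-only pre-installation checks for the prerequisites above.
# $DataDrive is an assumed parameter: the dedicated data partition, e.g. 'D:'.
param([string]$DataDrive = 'D:')

$DataDrive = $DataDrive.TrimEnd('\')
$checks = [ordered]@{}

# Supported OS: Windows Server 2016.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$checks['OS is Windows Server 2016'] = $os.Caption -like '*Server 2016*'

# The installer needs Local Administrator rights (elevated session).
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
$checks['Session has Local Administrator rights'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Dedicated data partition, distinct from the OS partition.
$checks['Data partition exists'] = Test-Path -Path "$DataDrive\"
$checks['Data partition is not the OS partition'] = $DataDrive -ne $env:SystemDrive

# No pre-existing folders with the reserved 'Alsid' or 'Tenable' prefixes.
$reserved = @(Get-ChildItem -Path "$DataDrive\" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(Alsid|Tenable)' })
$checks['No Alsid*/Tenable* folders on data partition'] = $reserved.Count -eq 0

# Erlang: HOMEDRIVE is normally a volatile per-logon variable, so a persistent
# Machine- or User-level definition is treated here as a modification (heuristic).
$homeOverride = 'Machine', 'User' | Where-Object { [Environment]::GetEnvironmentVariable('HOMEDRIVE', $_) }
$checks['HOMEDRIVE not overridden'] = -not $homeOverride

# Erlang: the machine-level PATHEXT must list .exe and .bat (case-insensitive).
$pathExt = ([Environment]::GetEnvironmentVariable('PATHEXT', 'Machine')) -split ';'
$checks['PATHEXT contains .exe and .bat'] = ($pathExt -contains '.EXE') -and ($pathExt -contains '.BAT')

# Report, and return a non-zero exit code if any prerequisite fails.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-6} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
if ($checks.Values -contains $false) { exit 1 }
```

The script only reads system state; the Protected Users and SQL virtual account prerequisites are not covered and still need a manual check.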

This table summarizes the prerequisites in a handy checklist to complete before installation.

| Information or Resource to Reserve | Status |
| --- | --- |
| The required agreements (NDA, Evaluation Software License), if applicable | |
| The choice of architecture (centralized or distributed) | |
| The number of active AD users in the targeted domains to monitor | |
| The computing and memory resources based on Tenable Identity Exposure’s sizing matrix | |
| The private IP of each virtual machine used to deploy Tenable’s platform | |
| The type and IP address of the update management infrastructure | |
| The type and IP address of the time server | |
| The type and IP address of the PKI server | |
| The type and IP address of the identity provider | |
| Open required network flows for each service that Tenable Identity Exposure requires | |
| The private IP addresses of each Primary Domain Controller emulator | |
| Creation of a regular user account on each Active Directory forest to monitor | |
| On the specific Active Directory containers, grant access rights to the Tenable service account | |
| Grant access for Privileged Analysis if you want to enable this feature | |
| The AD domain user account login. Format: User Principal Name, for example “” (recommended for Kerberos compatibility) or NetBIOS, for example “DomainNetBIOSName\SamAccountName” | |
| A TLS certificate for Tenable Identity Exposure’s Web Portal, issued from the customer’s PKI. Otherwise, inform the Technical Lead of the use of a self-signed certificate | |
| The list of Tenable Identity Exposure user accounts to create. Required information: first and last name, email address, and desired login | |
| The list of optional configurations to activate (email notification, Syslog event forwarding, etc.) | |
| An identified and available project coordinator to work with Tenable | |
| Technical staff to respond to potential technical issues, such as network filtering issues and an unreachable PDCe | |